Merge pull request #835 from catenacyber/fuzzfix

Fuzz fixes
2026-05-06 03:45:32 +00:00 · 2020-02-02 16:17:03 +01:00 · 2020-02-02 16:17:03 +01:00 · 8486eb08ea
commit 8486eb08ea
parent 39b1ad3087 0bf2ca56a8
4 changed files with 10 additions and 8 deletions
--- a/example/reader_util.c
+++ b/example/reader_util.c
@ -898,6 +898,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
 						  ndpi_packet_tunnel tunnel_type,
 						  const struct ndpi_ipv6hdr *iph6,
 						  u_int16_t ip_offset,
+						  u_int16_t ipsize,
 						  struct ndpi_tcphdr **tcph,
 						  struct ndpi_udphdr **udph,
 						  u_int16_t *sport, u_int16_t *dport,
@ -923,8 +924,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo
  }

  return(get_ndpi_flow_info(workflow, 6, vlan_id, tunnel_type,
-			    &iph, iph6, ip_offset,
-			    sizeof(struct ndpi_ipv6hdr),
+			    &iph, iph6, ip_offset, ipsize,
 			    ntohs(iph6->ip6_hdr.ip6_un1_plen),
 			    tcph, udph, sport, dport,
 			    src, dst, proto, payload,
@ -1162,7 +1162,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow,
 			      &payload, &payload_len, &src_to_dst_direction, when);
  else
    flow = get_ndpi_flow_info6(workflow, vlan_id,
-			       tunnel_type, iph6, ip_offset,
+			       tunnel_type, iph6, ip_offset, ipsize,
 			       &tcph, &udph, &sport, &dport,
 			       &src, &dst, &proto,
 			       &payload, &payload_len, &src_to_dst_direction, when);
@ -1603,7 +1603,8 @@ ether_type_check:

    if(iph->protocol == IPPROTO_IPV6) {
      ip_offset += ip_len;
-      goto iph_check;
+      if (ip_len > 0)
+        goto iph_check;
    }

    if((frag_off & 0x1FFF) != 0) {
--- a/fuzz/fuzz_process_packet.c
+++ b/fuzz/fuzz_process_packet.c
@ -4,7 +4,6 @@
 #include <stdio.h>

 struct ndpi_detection_module_struct *ndpi_info_mod = NULL;
-struct ndpi_flow_struct *ndpi_flow;
 struct ndpi_id_struct *src;
 struct ndpi_id_struct *dst;

@ -14,15 +13,16 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    NDPI_PROTOCOL_BITMASK all;
    NDPI_BITMASK_SET_ALL(all);
    ndpi_set_protocol_detection_bitmask2(ndpi_info_mod, &all);
-    ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT);
    src = ndpi_malloc(SIZEOF_ID_STRUCT);
    dst = ndpi_malloc(SIZEOF_ID_STRUCT);
  }

+  struct ndpi_flow_struct *ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT);
  memset(ndpi_flow, 0, SIZEOF_FLOW_STRUCT);
  memset(src, 0, SIZEOF_ID_STRUCT);
  memset(dst, 0, SIZEOF_ID_STRUCT);
  ndpi_detection_process_packet(ndpi_info_mod, ndpi_flow, Data, Size, 0, src, dst);
+  ndpi_free_flow(ndpi_flow);

  return 0;
 }
--- a/src/lib/protocols/dns.c
+++ b/src/lib/protocols/dns.c
@ -282,7 +282,7 @@ static void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, st
 	u_int32_t shift;
 	
 	c = flow->packet.payload[off++];
-	shift = 1 << (c & 0x1f);
+	shift = ((u_int32_t) 1) << (c & 0x1f);
 	flow->host_server_name[j++] = tolower((dns_validchar[c >> 5] & shift) ? c : '_');
 	cl--;
      }
--- a/src/lib/protocols/memcached.c
+++ b/src/lib/protocols/memcached.c
@ -105,7 +105,7 @@ void ndpi_search_memcached(
 {
  struct ndpi_packet_struct *packet = &flow->packet;
  const u_int8_t *offset = packet->payload;
-  const u_int16_t length = packet->payload_packet_len;
+  u_int16_t length = packet->payload_packet_len;
  u_int8_t *matches;

  NDPI_LOG_DBG(ndpi_struct, "search memcached\n");
@ -131,6 +131,7 @@ void ndpi_search_memcached(
    }

    offset += MEMCACHED_UDP_HDR_LEN;
+    length -= MEMCACHED_UDP_HDR_LEN;
    matches = &flow->l4.udp.memcached_matches;
  }
  else {